[Owasp-board] Discussion on Proposal 6

Matt Konda matt.konda at owasp.org
Tue Oct 13 04:22:26 UTC 2015


Do we spend a lot of time with red tape currently?


On Mon, Oct 12, 2015 at 10:59 PM, Jim Manico <jim.manico at owasp.org> wrote:

> The motivation here is efficiency, removal of red tape and encouragement
> to spend for the mission. Once an expense type is approved the goal of this
> "bill" is to have that expense type auto-approved.
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
> On Oct 13, 2015, at 4:26 AM, Matt Konda <matt.konda at owasp.org> wrote:
> I'm still considering #6 as are all but Josh and Jim based on this
> discussion thread.
> I am supportive of the idea behind it and would vote yes if it came to a
> head.
> Honestly, I don't think it is risky but I don't think I grasp the
> motivation - perhaps Josh and/or Paul could elaborate on how this might
> help the Foundation.
> Matt
> On Fri, Oct 9, 2015 at 4:18 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Andrew,
>> I definitely hear you, but we have rules in place to even prevent that.
>> For example Section 4.10 of the Chapter Leader Handbook
>> <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts>
>> says that "Chapter leaders are not authorized to sign contracts or enter
>> into any legal agreements on behalf of the OWASP Foundation".  You will not
>> have any sort of a $50k venue guarantee for services without a signed
>> contract.  This is the control that prevents abuse in that specific
>> situation.  There are many others.
>> Also, keep in mind that they are authorized only so long as "*they have
>> an account balance which covers that expense in full*".  So, if a
>> Chapter or Project has $50k in their account, and wants to spend it on a
>> venue for a conference, why should we stand in their way or require
>> additional approvals if others have done the exact same thing in the past?
>> The limiting factor here is their account balance and we need to empower
>> them to spend it how they desire as long as it is in adherence with the
>> OWASP mission.
>> Tobias: This has not been motioned or seconded yet.  I put it out there
>> for discussion first, since there was not a general consensus on it.
>> ~josh
>> On Fri, Oct 9, 2015 at 3:49 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> As our mailing-list got a bit swamped, this might have got lost in the
>>> hundred voting emails, do we have any further discussion elements on this
>>> one?
>>> And if people like vote on this, can they please confirm that they have
>>> at least acknowledged this discussion when casting their vote?
>>> Thanks, Tobias
>>> On 09/10/15 14:17, Andrew van der Stock wrote:
>>> I am really keen to reduce the amount of bureaucracy involved in expense
>>> management, but this is a really well trodden path in every single SME to
>>> major enterprise.
>>> My main concern is no upper bounds on pre-approved expenses. This means
>>> that a local chapter that managed to get an approval for a $50k conference
>>> centre fee, say AppSec AU in 2011, would mean that all chapters would be
>>> automatically allowed to claim that expense too. I want to enable that,
>>> whilst not allowing us to be hit with hundreds of large conferences being
>>> organised throughout the year. We simply don't have the staff bandwidth nor
>>> the funds to do that today.
>>> Typical financial governance is pre-approval for expenses under a
>>> certain dollar value, and a single sign off within the Foundation approval
>>> for expenses between say the cut off and say a $10k limit, and senior
>>> management approval above $10k. In my view, we can hit the home run we all
>>> are looking for, whilst still maintaining good financial governance over
>>> major expenses whilst not ruling out ANY type of expense that a chapter
>>> might be able to come up with.
>>> My view is that we go through all the paid out expenses over the last
>>> two years, and work out some limits. We can tummy tussle over the exact
>>> limits, but I feel the following would be a good start:
>>> $0 - $1500 should cover nearly all expenses paid to date along with the
>>> above proposal's list of pre-approved expenses
>>> $1500 to $10k should be an approval level granted to a project
>>> coordinator or chapters coordinator. All expenses are subject to sign off
>>> prior to incurring the expense
>>> $10k ... $100k is within the signing range of the Executive Director,
>>> and would require pre-approval before incurring the expense
>>> Above $100k would require Exec Dir + Board approval.
>>> That way, local area conference bills of $50k don't hit us without
>>> forewarning, and yet we have the flexibility of allowing LAScon and AppSec
>>> Cali to work without a special rule or budgetary process. The majority of
>>> projectors, catering, room fees, and so on would never be huge amounts of
>>> work for Foundation staff.
>>> I think it hits what you're trying to achieve without opening us up to
>>> some serious financial problems down the track.
>>> thanks,
>>> Andrew
>>> On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> Here is the current text for proposal 6:
>>>> *If a request for funding has been approved for one chapter or project,
>>>> then it can be considered an acceptable expense for all chapters or
>>>> projects.  If they have an account balance which covers that expense in
>>>> full, then they should be considered pre-approved for spending.*
>>>> *Tobias:*
>>>> I agree in spirit, but I think this needs clarification and am a bit
>>>> concerned about liberal interpretations of what is the same expense type.
>>>> Expenses tend to not be exactly identical and I like to save chapter and
>>>> project leads from searching the public expense lists for precedence. As
>>>> one example if a flight ticket is approved for a chapter leader to attend
>>>> the AppSec chapter leader workshop, that should not mean we also approve a
>>>> flight ticket to Bahamas for holiday for another chapter leader.
>>>> Technically both are flight expenses for chapter leaders. (I know I am
>>>> splitting hairs...)
>>>> Suggested revision:
>>>> Proposal 6: If a request for funding has been approved for one chapter
>>>> or project, then it can be considered an acceptable expense for all
>>>> chapters or projects. Our operations team shall periodically (at least once
>>>> every 3 months) review the list of published expenses and if new expense
>>>> types come up add them to the published list of acceptable expenses. If the
>>>> chapters or projects have an account balance which covers that expense in
>>>> full, then they should be considered pre-approved for spending.
>>>> *Josh:*
>>>> I think that we need to trust people to do the right thing.  To my
>>>> knowledge, we have never had a person try to request reimbursement for a
>>>> trip to the Bahamas because someone got a flight paid for to AppSec.  Also,
>>>> keep in mind that this is a reimbursement process so our Operations Team
>>>> determines whether a request is legit.  To me, it would seem like you're
>>>> putting a lot of extra work on the Ops Team with little added benefit since
>>>> they are still going to have to find a way to write it up so that it will
>>>> not be misinterpreted.  I think we have reasonable controls in place to
>>>> prevent abuse and our liability here is minimal.  I don't see a need to
>>>> revise it in this manner.
>>>> *Tobias:*
>>>> Well, I don't think to maintain a list of good examples is
>>>> unnecessarily heavy workload. And in the long run, searching through a long
>>>> unstructured list of published expense claims will be more work load for
>>>> both the staff and the community to check for good expense precedents. If
>>>> we do this one time per quarter, the effort is clearly limited. If we
>>>> (staff and leaders) have to review an unlimited year long list for
>>>> precedent, this seems much more effort.
>>>> *Josh:*
>>>> In theory we are supposed to be maintaining a list of good examples
>>>> already.  Some of them are listed in the Chapter and Project Leader
>>>> Handbooks.  That said, they aren't anywhere close to all of the possible
>>>> things one would want to spend their money on.  The idea here was simply to
>>>> maintain the running list of all expenses that are approved or denied
>>>> (proposal 5) and use that to drive spending.  Again, I think this comes
>>>> down to a matter of trust.  We need to trust our Leaders to do the right
>>>> thing.  We need to trust the staff to ensure that the reimbursement is
>>>> legitimate before sending them a check.  With so many complaints about
>>>> difficulties with the reimbursement process (as much as I've never seen
>>>> them), we should be looking for ways to strip away the red tape, not add
>>>> more of it.
>>>> ~josh
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board